#!/bin/bash
clear
RED="\033[31m"    # Error message
GREEN="\033[32m"  # Success message
YELLOW="\033[33m" # Warning message
BLUE="\033[36m"   # Info message
RESET='\033[0m'

if [ "$EUID" -ne 0 ]; then
  echo -e "${RED} Anda tiada kebenaran untuk menjalankan skrip ini! ${RESET}"
  exit 1
fi

function install_nginx {
  apt-get -qq update
  apt-get -y install nginx
  if [[ ! -f /etc/nginx/nginx.conf.bak ]]; then
    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
  fi
  systemctl stop nginx

  cat >/etc/nginx/conf.d/cloudflare.conf <<-EOF
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;

set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;
EOF

  apt-get -y -qq install certbot
  apt-get -y -qq install python3-certbot
  apt-get -y -qq install python3-certbot-nginx

  certbot --non-interactive --agree-tos --email $emailAddr --nginx -d $hostAddr -d www.$hostAddr
  echo '10 11 * * *   root /usr/bin/certbot renew >/dev/null 2>&1' >>/etc/crontab
}

function config_nginx {
  mkdir /var/www/$hostAddr
  hostAddr=$(cat /usr/local/.environment | grep -w 'DOMAIN' | cut -d '=' -f 2)
  emailAddr=$(cat /usr/local/.environment | grep -w 'EMAIL' | cut -d '=' -f 2)
  # portV2ray=$(shuf -i10000-65000 -n1)

  cat >/var/www/$hostAddr.conf <<-EOF
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$proxy_protocol_addr:$proxy_protocol_port';
    access_log /var/log/nginx/access.log main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen [::]:80 default ipv6only=off;
        return 301 https://$http_host$request_uri;
    }
    server {
        listen unix:/dev/shm/default.sock proxy_protocol;
        listen unix:/dev/shm/h2c.sock http2 proxy_protocol;
        server_name _;
        root /usr/share/nginx/html;
        set_real_ip_from 127.0.0.1;
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        root /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
   }
}
EOF

  curl -fsSL https://get.acme.sh | bash
  ~/.acme.sh/acme.sh --upgrade
  ~/.acme.sh/acme.sh --issue --standalone -d $hostAddr -d www.$hostAddr --keylength ec-256
  ~/.acme.sh/acme.sh --install-cert -d $hostAddr -d www.$hostAddr \
    --key-file /var/www/$hostAddr/privkey.pem \
    --fullchain-file /var/www/$hostAddr/fullchain.pem \
    --reloadcmd "service nginx force-reload"

  nginx -t && systemctl restart nginx
}

function installation {
  install_nginx
  config_nginx

  echo
  echo -e "${GREEN} Pemasangan nginx pakej telah selesai. ${RESET}"
  echo
}

installation
